September 2, 2003

MEMORANDUM TO: William D. Travers
               Executive Director for Operations

FROM:          Stephen D. Dingbaum /RA/
               Assistant Inspector General for Audits

SUBJECT:       MEMORANDUM REPORT: FOLLOW-UP REVIEW OF NRC’S INTERNET USAGE (OIG-03-A-21)

In October 2001, the Office of the Inspector General (OIG) reported that based on an assessment over an 8-day period in June 2001, 52 percent of agency employee Internet activity was for personal use. [1] Approximately 5 percent of the personal use was in direct violation of NRC policy and was referred to the OIG investigative staff for further review. OIG reported that because of the amount of personal use and the occurrences of prohibited use, the Nuclear Regulatory Commission (NRC) needed to enforce its policy for personal Internet usage. The report made five recommendations to the Executive Director for Operations to develop, issue, and communicate a revised Internet usage policy and to restrict prohibited Internet activity. The agency has implemented corrective actions in response to the recommendations in the October 2001 audit report. The recommendations and the corrective actions appear on pages three through six of this report.

OIG has completed a follow-up audit on Internet use to determine the status of the recommendations made in the October 2001 audit report, the amount of employee personal Internet use, and the frequency of prohibited Internet activity. The audit was intended to provide a general characterization of NRC’s Internet use. A comparison of the January 2003 Internet data to the June 2001 data showed that personal use of the Internet remained virtually the same, while prohibited activity (e.g., visiting sexually explicit Web sites) decreased. Specifically, 51 percent of NRC employee Internet activity was for personal use in 2003, compared to 52 percent in 2001. However, prohibited activity decreased to less than 1 percent in 2003 from 5 percent in 2001. Because the total amount of personal use remains over 50 percent, this report contains two recommendations to manage personal use of the Internet at NRC.

[1] Report OIG-02-A-01 entitled Use of the Internet at NRC, dated October 15, 2001.

NRC Policy

Management Directive (MD) 2.7, Personal Use of Information Technology, defines acceptable conditions for NRC employees’ personal use of information technology (IT). MD 2.7 was issued on the basis of recommendations from the Federal Chief Information Officer Council’s Government-wide policy guidance, “Limited Personal Use of Government Equipment Including Information Technology,” which provides a backdrop of conditions for an agency to consider when developing a personal use policy for Government office resources. The policy and guidance in MD 2.7 states that personal use of the Internet is acceptable [2] when such use:

    •   Involves minimal or no additional expense to the Government.
    •   Is performed during employee non-work time.
    •   Does not interfere with NRC’s mission or operation.
    •   Does not violate Federal Government Standards of Ethical Conduct.
    •   Is not otherwise prohibited by law.

[2] MD 2.7 states that the policy and guidance applies to all NRC employees, including Special Government Employees. NRC contractors are prohibited from personal use of agency information technology.

PURPOSE

The objectives of this follow-up audit were to:

1. Review the implementation of corrective actions taken since October 2001 to strengthen management controls over employee personal use of the Internet.

2. Characterize NRC employees’ use of the Internet to determine whether the use was in compliance with NRC policy.

RESULTS

Agency actions taken as a result of the recommendations from the previous OIG report have greatly reduced the amount of prohibited access to Web sites. Based on a 1-week period in January 2003, OIG determined that 51 percent of employee Internet use was for personal use. Prohibited use, however, declined from 5 percent to less than 1 percent as a result of the agency’s blocking of inappropriate Web sites. Specifics on these matters are described in the following sections.

Implementation of Corrective Actions

OIG’s October 2001 audit report on Internet use made five recommendations to the Executive Director for Operations to help strengthen management controls over the amount of personal use and to restrict prohibited Internet activity.

    •   Initiate monitoring of Internet activity.

    •   Review and clarify MD 2.7 to address Internet activity not currently covered, such as Visual Basic Script file type downloads.

    •   Revise NRC Management Directives, as appropriate, to ensure NRC’s Internet use policy covers persons other than NRC employees who use NRC computers to access the Internet.

    •   Restrict prohibited Internet activity using software or other means.

    •   Issue a Yellow Announcement, or other appropriate communication, advising employees and other affected users of the agency’s revised policy and emphasizing that management will not tolerate prohibited activity.

The agency took the following actions in response to these recommendations.

    Initiate monitoring of Internet activity

The Office of the Chief Information Officer (OCIO) monitors Internet activity monthly using a software product that basically shows a trend analysis of Internet use for the agency. This software is not used to monitor individual use, but rather provides information such as general agency statistics, the most popular sites visited, activity levels for the different time periods, and other information.

OCIO recognizes its duty to help ensure the integrity of the agency by not only monitoring but also by providing tools to assist NRC managers in evaluating staff use of the Internet.

    Review and clarify Management Directive 2.7 to address Internet activity not currently covered, such as Visual Basic Script file type downloads

OCIO examined MD 2.7 and found it adequate as written with respect to personal use by NRC employees. MD 2.7 states that personal use of agency IT is a privilege, not a right, and employees should not have the expectation of privacy while using agency IT systems. By using agency IT systems, employees acknowledge their consent to disclosing the contents of any files or information maintained in the systems.

    Revise NRC Management Directives, as appropriate, to ensure NRC’s Internet use policy covers persons other than NRC employees who use NRC computers to access the Internet

In response to the OIG finding that contractors used the Internet inappropriately, NRC issued a new procurement instruction. This instruction reflects MD 2.7’s prohibition of personal use of agency information technology by contractors. The Division of Contracts and Property Management (DCPM) Instruction 02-01, issued March 4, 2002, specifically prohibits personal use of IT equipment by contractors. DCPM Instruction 02-01 states that the contractor must be held responsible for monitoring its employees, consultants, and subcontractors to ensure that NRC-furnished IT equipment and/or IT access is not used for personal activities, misused, or used without proper authorization. To implement this policy, NRC’s Division of Contracts requires all solicitations, contracts, or delivery orders that allow contractor staff access to NRC IT equipment and services to include the clause, “Appropriate Use of Government Furnished Information Technology (IT) Equipment and/or IT Services/Access.”

    Restrict prohibited Internet activity using software or other means

In November 2002, OCIO began using software that places a filter to block inappropriate Web sites. When such a site is accessed, the network displays a message explaining that the site is blocked and why it is inappropriate. A sample picture of the message is displayed below.

    Issue a Yellow Announcement, or other appropriate communication, advising employees and other affected users of the agency’s revised policy and emphasizing that management will not tolerate prohibited activity

A Yellow Announcement was issued in December 2001 and in February 2003 to remind employees of NRC’s Internet limited personal use policy. It stated that NRC employees must exercise common sense, good judgment, and propriety in the use of this valuable resource. The announcement reminded the staff that NRC allows employees to access the Internet for limited personal use when such use involves minimal or no additional expense to the Government, is performed on the employee’s non-work time, does not violate the Standards of Ethical Conduct for Employees, and is not otherwise prohibited by law.

Characterization of Current Internet Use

During a 1-week period in January 2003, 51 percent of NRC employee Internet activity appeared to be for personal use. Although each individual accessing the Internet may not be a problem, the composite total of personal Internet use is over 50 percent. NRC currently does not employ a management tool that enables individual use to be routinely monitored. Thus, the agency could experience a public relations issue in the future if the public perceives this rate as excessive.

Internet use is largely personal

As part of its assessment of employee [3] Internet use for a 1-week period in January 2003, OIG analyzed accessed Web sites that represented about 75 percent of all sites visited for that week.

To analyze Internet use, OIG used data that provided the volume of information transferred [4] to the employees’ computers. Internet activity was categorized as business or personal. In addition, some Web sites could have been accessed for either business or personal reasons and were therefore categorized as mixed use in this report. Examples of mixed use are news sites and search engines such as www.google.com. The analysis did not break out non-working hours from working hours. In addition, the analysis did not determine actual time spent using the Internet.

[3] Employee use included use of the Internet by NRC contractors. OIG included contractor use because contractors are accessing the Internet for personal use.

[4] This information transfer is referred to in this report as activity and indicates the actual number of bytes of information that were transferred to an employee’s computer from the logs. The logs do not provide duration or the amount of time the site is in use.

Comparison of Internet Use in 2003 and 2001 [5]

    Category     January 2003    June 2001
    Business     28%             21%
    Mixed Use    21%             27%
    Personal     51%             52%

[5] The 2001 analysis was based on the number of bytes of information transferred to an employee’s computer over an 8-day period in June 2001, while the 2003 data was based on a 1-week period in January 2003. The 2001 analysis was based on a review of the logs similar to those used for the 2003 analysis.

Local and national news Web sites such as the Washington Post, CNN, and USA Today dominate the mixed use category. Those Web sites were not placed in either the business or personal use category because they can be used for both reasons.

The agency does not monitor Internet use by individuals. While each individual instance of Internet use could well be within the agency’s de minimis use policy, the total personal use is so high that it leaves NRC vulnerable to criticism for excessive employee time on the Internet.

Prohibited use of the Internet

A further breakdown of the personal Internet use in 2003 and 2001 is shown in the following charts which detail the wide variety of Web sites that employees accessed. The individuals who abused the usage policy by accessing prohibited Web sites, including sexually explicit, gambling, and hate sites, were referred to OIG’s investigative staff. However, prohibited use of the Internet decreased from 5 percent in 2001 to less than 1 percent in January 2003. Thus, the filtering software blocking prohibited Web sites is effective at decreasing this kind of activity. However, some instances still occur when individuals visit locations where filtering does not work, such as e-mail or instant messaging. Subsequent to our fieldwork, management officials stated that the issue of bypassing the content filtering by using instant messaging has been resolved by blocking instant messaging capability for the agency. Visits to these types of Web sites are significant because the site contents may be offensive to others and could lead to potential legal liabilities for the agency. NRC needs to continue to send a strong message about inappropriate Internet use.

Internet Use in 2003 and 2001

    Personal use category    January 2003    June 2001
    Entertainment            26%             11%
    Shopping                 16.6%           18%
    E-mail                   16%             16%
    Financial                12%             17%
    Misc                     10%             16%
    Relationships            8%              7%
    Pictures                 6%              (not shown)
    Sports                   5%              10%
    Prohibited               0.3%            5%

Conclusion

During non-work time, NRC employees are allowed to use information technology resources, including the Internet, for personal reasons when that use is in accordance with NRC’s limited use policy. More agency action is needed to enforce contractor and employee personal Internet usage requirements.

Because personal use is high as compared to the amount of overall Internet activity, NRC could suffer adverse publicity if the perception is that employees are spending excessive time pursuing personal interests at the expense of their work responsibilities.

RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Provide management tools that will assist NRC managers and supervisors to evaluate Internet usage within their organization to (1) determine if their organizations are adhering to the agency’s de minimis Internet use policy and (2) take corrective actions where necessary.

2. Develop and implement an approach to periodically make NRC managers aware of their responsibilities regarding minimal employee use of the Internet.

AGENCY COMMENTS

On August 4, 2003, OIG discussed its draft report with agency senior executives who generally agreed with the report recommendations. This final report incorporates agency comments, where appropriate.

SCOPE AND METHODOLOGY

The scope of this audit was generally limited to analysis and evaluation of the Internet use during a 1-week period in January 2003. OIG reviewed NRC’s current Internet usage policy. OIG also met with NRC officials in NRC’s OCIO. To perform this review and build a profile of employee usage, OIG obtained firewall logs from the agency for the period under review. These firewalls contain logs of Web sites visited; the breakdown used for OIG’s analysis looked at Web pages visited and did not take into consideration instant messaging and chat rooms. The 1-week period that OIG selected occurred slightly over 1 month after the filtering software was in place to ensure that data analysis would take into consideration the filtering of inappropriate Web sites. OIG determined the amount of information transferred from each Web site. This information transfer (termed activity) indicates the actual number of bytes of information that were transferred to an employee’s computer through the proxy server. OIG analyzed about 75 percent of all agency Internet use for a 1-week period by reviewing 1,400 Web sites accessed in January 2003.

OIG trimmed each full Internet address shown in the firewall log to a base address and reviewed the material at the address to evaluate its probable use. Based generally on the material at the Web page accessed, OIG determined whether the use was business, personal, or a combination of personal and business reasons. OIG could not determine whether employees were spending inappropriate amounts of time using the Internet for personal reasons because firewall logs provide insufficient information to make such a determination.

The audit was conducted from January through May 2003 in accordance with generally accepted Government auditing standards and included a review of management controls related to the objectives of the audit.

The major contributors to this report were Beth Serepca, Audit Manager, and Rebecca Underhill, Management Analyst.

cc:    Chairman Diaz
       Commissioner McGaffigan
       Commissioner Merrifield
       William Dean, OEDO

Document Location: WORD DOC\G:\Audit\03-a-21\Final Report.doc

Distribution
OIG Chron
AIGA Chron
File: 03-a-21
RUnderhill
BSerepca

OIG            OIG        OIG         OIG           OIG         OIG
RUnderhill     BSerepca   TLipuma     SDingbaum     DLee        Hbell
08/ /03        08/ /03    08/ /03     03/ /03       03/ /03     03/ /03
Official File Copy